Hi Todd,
I was asked to inquire as to the feasibility of centrally collecting SUDO IO data.
The idea being that several geographically dispersed data centers, all full of various systems, could benefit from sending their sudo I/O data to an external collector of sorts, similar to how syslog-ng aggregates data; dropped into a dir hierarchy named by src host.
Wherein sudoreplay could then be used from a high level to identify which specific host in the fleet you are interested in, and then further down into the individual sessions, etc.
(We could probably hack something together to transport the data, but it's unclear at this point how sudoreplay would respond to that sort of dir hierarchy.)
Let me know your thoughts.
Thanks!
~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | SANS GCIH
Info. Security Specialist
Citrix Online
Jr.Aquino at citrix.com
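An added example, not part of the message above or of sudo itself, showing how the proposed layout could be indexed: each source host gets its own subtree under the collector, laid out exactly like a local iolog_dir (00/00/01/{log,timing,ttyout}), so sudoreplay can be pointed at one host's subtree with its -d option and given the session id. The collector path, host names, session contents and the index/filter functions are all constructed for the example; the plain-text `log` file layout (header line, cwd line, command line) is assumed to follow sudo 1.8's format and may differ on other versions.

```python
"""Index a per-host collector tree of sudo I/O logs (constructed example)."""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Session:
    """One replayable sudo I/O session found under a host's subtree."""
    host: str
    session_id: str   # sudoreplay's six-character id, e.g. 000001
    timestamp: int
    user: str
    runas_user: str
    tty: str
    cwd: str
    command: str

    def replay_argv(self, collector: Path) -> list:
        # -d points sudoreplay at the host's subtree; the id is the
        # 00/00/01 session path with the slashes removed.
        return ["sudoreplay", "-d", str(collector / self.host), self.session_id]


def parse_log_file(path: Path) -> dict:
    """Parse one session's plain-text `log` file.

    Assumed sudo 1.8-style layout (an assumption for other versions):
      line 1: time:user:runas_user:runas_group:tty[:lines:cols]
      line 2: working directory        line 3: command line
    """
    lines = path.read_text().splitlines()
    if len(lines) < 3:
        raise ValueError(f"{path}: expected at least 3 lines, got {len(lines)}")
    fields = lines[0].split(":")
    if len(fields) < 5:
        raise ValueError(f"{path}: malformed header {lines[0]!r}")
    return {"timestamp": int(fields[0]), "user": fields[1],
            "runas_user": fields[2], "tty": fields[4],
            "cwd": lines[1], "command": lines[2]}


def index_collector(collector: Path) -> list:
    """Walk <collector>/<host>/XX/XX/XX/log and return every session found."""
    sessions = []
    for host_dir in sorted(p for p in collector.iterdir() if p.is_dir()):
        for log_path in sorted(host_dir.glob("*/*/*/log")):
            rel = log_path.parent.relative_to(host_dir)   # e.g. 00/00/01
            try:
                info = parse_log_file(log_path)
            except ValueError:
                continue   # partially transferred session: skip, don't abort
            sessions.append(Session(host=host_dir.name,
                                    session_id="".join(rel.parts), **info))
    return sessions


def find_sessions(sessions, host=None, user=None):
    """Narrow the fleet-wide index by source host and/or invoking user."""
    return [s for s in sessions
            if (host is None or s.host == host)
            and (user is None or s.user == user)]


# Constructed sample data standing in for what a transport would have copied
# from two hosts in two data centers (ordinary admin commands).
SAMPLE_SESSIONS = [
    ("dc1-web01", "00/00/01", 1300000000, "alice", "root", "/dev/pts/2",
     "/home/alice", "/usr/sbin/service httpd restart"),
    ("dc1-web01", "00/00/02", 1300000600, "bob", "root", "/dev/pts/0",
     "/home/bob", "/bin/vi /etc/hosts"),
    ("dc2-db07", "00/00/01", 1300003600, "alice", "postgres", "/dev/pts/1",
     "/var/lib/pgsql", "/usr/bin/psql"),
]


def build_sample_collector(root: Path) -> Path:
    """Write the constructed sessions into a host-keyed tree under root."""
    for host, rel, ts, user, runas, tty, cwd, cmd in SAMPLE_SESSIONS:
        sess_dir = root / host / rel
        sess_dir.mkdir(parents=True)
        (sess_dir / "log").write_text(
            f"{ts}:{user}:{runas}:root:{tty}:40:120\n{cwd}\n{cmd}\n")
        (sess_dir / "timing").write_text("")   # real keystroke data would go here
        (sess_dir / "ttyout").write_text("")
    # One incomplete session, as an interrupted transfer would leave it.
    broken = root / "dc2-db07" / "00" / "00" / "02"
    broken.mkdir(parents=True)
    (broken / "log").write_text("1300004000:carol:root:root:/dev/pts/4:40:120\n")
    return root


def demo():
    """Build the sample tree in a temp dir and index it; returns (root, sessions)."""
    root = build_sample_collector(Path(tempfile.mkdtemp(prefix="sudo-collector-")))
    return root, index_collector(root)


if __name__ == "__main__":
    root, sessions = demo()
    for s in find_sessions(sessions, user="alice"):   # fleet-wide, then drill down
        print(f"{s.host} {s.session_id} {s.user} -> {s.runas_user}: {s.command}")
        print("   replay with:", " ".join(s.replay_argv(root)))
```

The index is what lets you start at the fleet level (which hosts, which users) before replaying an individual session; the incomplete session is skipped rather than aborting the whole walk, since a collector will routinely see half-copied directories while a transfer is in flight.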